
Issue 804176 link

Starred by 3 users

Issue metadata

Status: Verified
Owner:
Closed: Jan 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug

Blocking:
issue v8:7120



V8 correctness failure in configs: x64,ignition:x64,slow_path_opt

Project Member Reported by ClusterFuzz, Jan 21 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5259369318187008

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,ignition:x64,slow_path_opt
  sources: ebc
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=50690:50691

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5259369318187008

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Project Member

Comment 1 by ClusterFuzz, Jan 21 2018

Cc: peter.wm...@gmail.com
Labels: Test-Predator-Auto-CC
Automatically adding ccs based on suspected regression changelists:

[builtins] Re-enable Set and WeakSet constructor fast path. by peter.wm.wong@gmail.com - https://chromium.googlesource.com/v8/v8/+/9c5053bf4d2f2ebc4973f51ff46a0b93b95d154d

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label.
I don't have a chromium email, could someone post the reproduction case? I can start looking at this today.
Owner: jgruber@chromium.org
Status: Assigned (was: Untriaged)
The repro is:

  switch (typeof value) {
  }
  function assert() {
  };
  let $ = {
    evalScript() {
    }
  };
  __v_4 = [0.5];
  print("v8-foozzie source: /test262/built-ins/Set/set-iterator-next-failure.js");
  // The array's own Symbol.iterator returns undefined, so a spec-conformant
  // Set constructor must throw "undefined is not an iterator"; the fast path
  // walked the array by index and never called it.
  __v_4[Symbol.iterator] = function() {
  };
  new Set(__v_4);
Blocking: v8:7120
Not sure if this is caused by slow-path or stress-marking, which are both passed below due to an experiment.

FYI output is:
# Compared x64,ignition with x64,slow_path_opt
#
# Flags of x64,ignition:
--abort_on_stack_or_string_length_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed -216644175 --turbo-filter=~ --noopt --suppress-asm-messages
# Flags of x64,slow_path_opt:
--abort_on_stack_or_string_length_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed -216644175 --always-opt --force-slow-path --suppress-asm-messages --stress-marking=100
#
# Difference:
+ /mnt/scratch0/clusterfuzz/slave-bot/inputs/fuzzer-testcases/fuzz-07775.js:12: TypeError: undefined is not an iterator
#
# Source file:
/test262/built-ins/Set/set-iterator-next-failure.js
#
### Start of configuration x64,ignition:
v8-foozzie source: /test262/built-ins/Set/set-iterator-next-failure.js
### End of configuration x64,ignition
#
### Start of configuration x64,slow_path_opt:
v8-foozzie source: /test262/built-ins/Set/set-iterator-next-failure.js
/mnt/scratch0/clusterfuzz/slave-bot/inputs/fuzzer-testcases/fuzz-07775.js:12: TypeError: undefined is not an iterator
new Set(__v_4);
^
### End of configuration x64,slow_path_opt
Cc: jgruber@chromium.org
Issue 804188 has been merged into this issue.
Project Member

Comment 7 by bugdroid1@chromium.org, Jan 25 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/55efb6cc5dd0ae28b9cc41da31fe86069487c113

commit 55efb6cc5dd0ae28b9cc41da31fe86069487c113
Author: peterwmwong <peter.wm.wong@gmail.com>
Date: Thu Jan 25 11:11:29 2018

[builtins] Fix Collection constructor when entries have custom iteration.

- Introduce new helper IsFastJSArrayWithNoCustomIteration.
  - Consolidates all entry array checks...
    - Is a fast array (defers to BranchIfFastJSArray)
    - No possibility that the Array's iteration protocol has been tampered with
- Introduce new BoolT constant helpers Int32TrueConstant and Int32FalseConstant.

Bug: chromium:804176, chromium:804188
Change-Id: I6b08396484682dc680b431ea564a7a28eeab8108
Reviewed-on: https://chromium-review.googlesource.com/883065
Commit-Queue: Peter Wong <peter.wm.wong@gmail.com>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50867}
[modify] https://crrev.com/55efb6cc5dd0ae28b9cc41da31fe86069487c113/src/bootstrapper.cc
[modify] https://crrev.com/55efb6cc5dd0ae28b9cc41da31fe86069487c113/src/builtins/builtins-collections-gen.cc
[modify] https://crrev.com/55efb6cc5dd0ae28b9cc41da31fe86069487c113/src/code-stub-assembler.cc
[modify] https://crrev.com/55efb6cc5dd0ae28b9cc41da31fe86069487c113/src/code-stub-assembler.h
[modify] https://crrev.com/55efb6cc5dd0ae28b9cc41da31fe86069487c113/src/compiler/code-assembler.h
[modify] https://crrev.com/55efb6cc5dd0ae28b9cc41da31fe86069487c113/src/contexts.h
[add] https://crrev.com/55efb6cc5dd0ae28b9cc41da31fe86069487c113/test/mjsunit/es6/collections-constructor-custom-iterator.js
[add] https://crrev.com/55efb6cc5dd0ae28b9cc41da31fe86069487c113/test/mjsunit/es6/collections-constructor-with-modified-array-prototype.js
[add] https://crrev.com/55efb6cc5dd0ae28b9cc41da31fe86069487c113/test/mjsunit/regress/regress-804176.js
[add] https://crrev.com/55efb6cc5dd0ae28b9cc41da31fe86069487c113/test/mjsunit/regress/regress-804188.js

Project Member

Comment 8 by ClusterFuzz, Jan 26 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5110442736484352 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 9 by ClusterFuzz, Jan 26 2018

ClusterFuzz has detected this issue as fixed in range 50866:50867.

Detailed report: https://clusterfuzz.com/testcase?key=5259369318187008

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,ignition:x64,slow_path_opt
  sources: ebc
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=50690:50691
Fixed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=50866:50867

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5259369318187008

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
